GPSolo Magazine - December 2005

Spyware: Exorcising the Demons

By Sharon D. Nelson and John W. Simek

Most computer users have no idea how rampant spyware has become, or how invasive it can be. Would you be surprised, even terrified, to hear that we find spyware on the majority of law firm computers we examine? The percentage skyrockets when we examine home computers, which are generally less protected. So do you ever work from home? It is truly frightening to think how vulnerable client data is to spyware. How much does spyware cost a would-be snoop? Not much: $30 to $100 is a common range, a cheap price for a heinous invasion of privacy.

If you’ve never thought much about spyware, consider this. In a recent survey, 67 percent of network administrators rated spyware as this year’s most significant problem, with viruses running at 23 percent and phishing running far behind at 10 percent. Webroot, a producer of anti-spyware software, released its “State of Spyware Report” in May 2005 (www.webroot.com), indicating that 88 percent of consumer machines and 87 percent of corporate machines were infected by some kind of spyware. No wonder it is so popular—the same report estimated that spyware is generating $2 billion annually.

What Constitutes Spyware?

No one quite agrees on a definition for spyware, but generally speaking, it is software installed on a computer without the target user’s knowledge and meant to monitor the user’s conduct. Some spyware will record everything the user does: the sites visited, instant messaging, e-mail, and document preparation. Some spyware is used to gather personal identifying information such as passwords, credit card numbers, and Social Security numbers, all useful for those interested in fraud and identity theft. Other spyware programs will hijack your web browser, reset your home page, add toolbars, alter search results, or send popup ads that cannot be closed, all intended to hawk some vendor’s products.

Recently, spyware has become insidiously clever. Many programs come with a reinstaller; as soon as you attempt to remove it, it reloads itself. Many forms of spyware hide in Windows files and even mimic the file names so the average user would have no idea that the files are in fact shielding spyware. The latest wrinkle with spyware is that it can turn the infected machine into a spam zombie. This means that your computer is being used as a relay point to send spam messages without your knowledge. This is probably not a law firm’s first choice of how to use its computer network.

One of the most common spyware programs we see is the CoolWebSearch utility, which is affiliated with more than 1,000 web domains. It exploits unpatched browser holes to install itself, after which it slows your computer, changes bookmarks, displays popup ads for pornographic websites, and redirects search engine queries. Another infamous nuisance is Claria’s GAIN (Gator Advertising Information Network), which places ads over web pages, tracks the site visits, and frequently impedes computer performance, sometimes even causing crashes. It is no wonder that spyware has become a modern-day scourge.

Keystroke loggers (monitoring every keystroke) are still fairly rare. They seem to have three primary uses: business spying, relationship spying, and monitoring children. Take a look at our screenshot in Figure 1 from the well-known keystroke logger KEYKatcher, showing one attorney writing to a colleague in his firm. The image is complete with misspellings and corrections (“BS” means backspace), every keystroke having been captured. Imagine the chaos this e-mail could cause if someone were monitoring the lawyer’s machine and chose to release the information.

What Is Adware? Is It Spyware?

Those who are responsible for adware will have conniptions if you tell them their products are spyware. Typically, adware is installed when you install a separate program such as shareware. If you click something and agree to install adware, it may not be classified as spyware because you technically agreed to the download. However, if you (or very likely, your children) want to install a neat screensaver, cool game, or swap music/movie files via a peer-to-peer (P2P) sharing program, chances are that the downloader will never read the user agreement and will simply hit “I agree.” This is how most adware and spyware finds its way into a computer system. Mind you, there are more insidious ways of installing adware, including “drive-by downloads” from websites and malicious cookies.

True adware, however, isn’t meant to steal your personal financial information or monitor your personal shenanigans. Usually it is used to send information to marketers about your surfing and buying habits to assist them in general marketing and to target you in particular, especially with popup ads, spam, and their unwelcome brethren.

Who Is Likely to Have Spyware?

The more correct question is who doesn’t have spyware? Although studies disagree, it is clear that between 80 and 95 percent of all computers have some form of spyware on them. In November 2004, America Online and the National Cyber Security Alliance released a study in which 77 percent of computer users felt they were safe from spyware. In fact, 80 percent of their systems were infected.

What Are the Warning Signs?

Given the odds, if you look at your computer and think it’s looking back at you, you’re probably right. Here are some of the warning signs:

a sudden proliferation of popup ads

a change in the Internet home page

the appearance of new toolbars

the appearance of new icons in the system tray at the bottom of your computer screen

Two more quick points. Yes, there are free anti-spyware programs. Some are better than others; still, our testing consistently shows that the free software doesn’t measure up to the software that comes with a price tag (two of our favorites are Spy Sweeper and Counter Spy). Given the low price of the for-sale programs, it’s better not to be penny-wise and pound-foolish. Moreover, we wouldn’t go near a Microsoft anti-spyware program. Why? It’s not necessarily the quality of the product; it’s Microsoft’s allure to all the cyber villains of the world, who can’t resist writing code that specifically attacks Microsoft’s programs. Then again, perhaps it is the quality, or the integrity, of the product. Microsoft’s recent acquisition talks with Claria (Gator’s new name), together with its delisting and reclassifying of spyware that other vendors’ products detect and delete, give one pause: in the case of Claria, Microsoft suddenly changed the default action of its anti-spyware program to identify but not delete Claria. Microsoft apparently believes that spyware should be identified and deleted, unless the offender has a business relationship with Microsoft. More than one wag has noted that the fox is volunteering eagerly to protect the henhouse.

Too many people believe they are OK if they have up-to-date antivirus software. Wrong. A smaller number believe they are safe if they’ve checked the installed programs listing, the Add/Remove Programs panel, and the standard startup area, and have opened the Task Manager with Control-Alt-Delete without anything mysterious showing. Also wrong. The entire point of spyware is to cloak itself so that standard methodologies will not detect it.
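As an added illustration (this script is ours, not the authors’ or any vendor’s), the following Windows PowerShell session looks in the places the standard views above do not show: the Run/RunOnce registry keys, the Winlogon Shell and Userinit values, and the Browser Helper Objects that load into every Internet Explorer process (the toolbars and hijackers from the warning-signs list), and it reads the current IE home page. It flags each autostart entry whose binary is unsigned, lives outside the system and program directories, or borrows the name of a genuine Windows system file while living somewhere else, which is the file-name mimicry described earlier. The registry paths are real Windows locations; the “trusted directory” list, the bare-name lookup in System32, and the flagging rules are illustrative choices of ours, not an authoritative allow-list. It assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example, not from the article: enumerate hidden autostart points and
# browser hooks, then flag entries that look like cloaked spyware.
# Assumption: run from an elevated Windows PowerShell prompt.

# Illustrative "trusted" roots; a real allow-list would be narrower and site-specific.
$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

# Autostart locations that the "standard startup area" does not display.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Extract the executable path from a command line such as "C:\x\y.exe" /silent
function Get-ImagePath([string]$CommandLine) {
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $path = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } elseif ($cmd -match '^(.+?\.(exe|dll))(\s|$)') {
        $path = $Matches[1]          # unquoted path ending in .exe/.dll
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    # Bare names such as Winlogon's "explorer.exe" are resolved against System32
    # (a simplification of the search Windows itself performs).
    if (-not [IO.Path]::IsPathRooted($path)) {
        $candidate = Join-Path "$env:SystemRoot\System32" $path
        if (Test-Path -LiteralPath $candidate) { $path = $candidate }
    }
    return $path
}

function Test-Entry([string]$Source, [string]$Name, [string]$Path) {
    $reasons = @()
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        $reasons += 'image not found'
    } else {
        $full = (Resolve-Path -LiteralPath $Path).Path
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += 'outside System32/Program Files' }
        $sig = Get-AuthenticodeSignature -LiteralPath $full
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        # Lookalike: a file named like a real System32 binary but living elsewhere.
        $leaf = [IO.Path]::GetFileName($full)
        if ((Test-Path -LiteralPath "$env:SystemRoot\System32\$leaf") -and
            -not $full.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'name mimics a Windows system file'
        }
    }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Path = $Path
        Suspicious = ($reasons.Count -gt 0); Why = ($reasons -join '; ')
    }
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own PSPath etc.
        $findings += Test-Entry $key $p.Name (Get-ImagePath $p.Value)
    }
}

# Winlogon Shell/Userinit: spyware appends itself here to run at every logon.
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in 'Shell', 'Userinit') {
    foreach ($part in ($wl.$name -split ',')) {
        if ($part.Trim()) { $findings += Test-Entry "$winlogon\$name" $name (Get-ImagePath $part) }
    }
}

# Browser Helper Objects are COM DLLs loaded into Internet Explorer; the CLSID
# under this key points at the DLL via HKCR\CLSID\{id}\InProcServer32.
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        $findings += Test-Entry 'BHO' $clsid (Get-ImagePath $dll)
    }
}

# Browser-hijack indicator from the warning-signs list: a changed home page.
$startPage = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main').'Start Page'
Write-Host "IE start page: $startPage"

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A legitimate entry can trip these rules (an unsigned installer in a user profile, for instance), so treat the table as a list of things to look at, not a verdict; the point is that none of these locations appears in Add/Remove Programs or the Task Manager, which is exactly why checking only those gives false comfort.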

Besides having good anti-spyware programs, you want to make sure your operating system and web browsing software are updated regularly in order to close vulnerabilities that may have been patched by the manufacturer. Also, download free software only from sites you know and trust. Read the license agreements of any software you download. Keep your browser security setting at “Medium” or higher to minimize “drive-by downloads.” Don’t click on links in popup windows; they may contain spyware. Don’t click on links in spam, which often carries spyware. Make use of personal firewalls on home machines. Consider changing browsers to Firefox (www.mozilla.org/products/firefox), which will also minimize “drive-by” downloads, although spyware has begun to target Firefox, too.

Finally, good computing habits will help minimize spyware. Don’t install file-swapping programs (monitor your kids and your employees on this issue). Virtually all file-swapping programs are loaded with spyware. Don’t allow the installation of silly, unnecessary programs likely to carry spyware—those neat screensavers and freebie utilities just aren’t worth it. Be intelligent about opening e-mail and attachments—if you don’t recognize the sender, delete, delete, delete. Finally, do not browse the Internet indiscriminately—sites offering lots of things for free are probably offering spyware for free as well, though you may not know it until too late. Pornography sites (paid or free!) are notorious for having affiliate relationships with those who want to install spyware on your computer.

Do YOU Have Spyware?

Having heart palpitations? How do you know if you have spyware on your computer? Use the free systems audit at www.webroot.com/services/spyaudit_03.htm. You may be very surprised, even horrified, at the results.

Who’s watching you?

Sharon D. Nelson and John W. Simek are, respectively, president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Virginia. They can be reached at sensei@senseient.com or via their website, www.senseient.com.